03-18-2015 03:45 PM
I have two ASA5512X firewalls in Active/Standby mode.
We now want to enable the FirePOWER subscription (TAMC): IPS and Apps Updates plus URL Filtering and AMP Subscription.
My customer does not want to buy the subscription for the standby firewall.
He needs the standby firewall to do only firewalling, routing and VPN in the event of a failure.
Is it technically possible?
03-23-2015 06:44 PM
Technically it would work. The service policy would still direct the traffic through the FirePOWER module that's unlicensed (the base FirePOWER software would have to be installed but without any license or policies from FMC).
03-23-2015 11:20 PM
Thanks Marvin for your response.
03-24-2015 05:10 AM
You're welcome. Please mark your question as answered if it has been.
06-04-2015 05:11 AM
Hello Marvin,
I'm in exactly the same situation: buying a license for a standby firewall seems pretty useless (in my case).
You said that technically it will work, but is this asymmetric configuration officially supported?
Is it possible that TAC refuses to troubleshoot a potential issue in this configuration?
Thanks
Marc
06-04-2015 06:15 AM
It's not an issue of TAC support. From the point of view of the FireSIGHT Management Center, you have two separate managed ASAs, each with a different set of policies applied.
The problem is that your desired security level - with intrusion, URL and potentially file (AMP) policies - cannot be applied to a module without the prerequisite license. So you need to make two sets of policies - one for the fully licensed module and one for the partially licensed module. Depending on what licenses you have on the latter, your security protection may suffer during a failover scenario until you've restored the primary unit to operation.
Operationally you could go in and "unlicense" the failed module and apply that license to the operational one and then reapply the more secure policy set. That's a lot more headache and opportunity for human error than is advisable for most customers though.
06-04-2015 08:41 AM
Thank you for your answer, Marvin!
11-05-2015 08:41 AM
I have 2 ASA 5525X FirePOWER added to my FireSIGHT manager. I added the FireSIGHT host and User license, and 2 Malware Licenses for ASA5525, but my devices' License Type shows "Unlicensed".
I don't know where to start fixing this, I'm with SourceFire stuff.
I don't know, maybe I'm missing something.
Please help.
11-05-2015 02:02 PM
Hi Sandile,
You need to edit the device and add the license that you have uploaded to the Management Centre.
11-05-2015 04:18 PM
Hi Sandi,
Please add the PROTECT+CONTROL license for the ASA5525, there should be a PAK sent along with the device. Please register the PAK to obtain the license for "PROTECT+CONTROL".
- DD
11-06-2015 01:26 AM
The PAKs I got gave me only the licenses you see on the images. Part number L-ASA5525-TAMC
11-06-2015 04:04 AM
Sandile,
The Protect+Control PAK is delivered as a paper PAK in the box with the appliance. It is a zero cost item delivered with all FirePOWER modules. If it has been misplaced, the vendor can call it up on the Cisco ordering system.
You need to redeem that PAK and apply the license as a prerequisite for any of the other licenses.
08-25-2017 11:53 AM
Hi Marvin,
Thank you for your input. Perhaps this is a matter of semantics with the words licensing vs subscription, which is why I need clarification. I have two ASA5512X Appliances with FirePower Services (ASA5512-FPWR-K9) in Active/Standby mode. I am now looking to purchase the necessary subscription, specifically "Cisco ASA with FirePOWER Services IPS, Advanced Malware Protection and URL Subscription" (Mfg. Part#: L-ASA5512-TAMC-1Y). Do I need to purchase a quantity of two subscriptions - one for each appliance? In other words, do I need to purchase a subscription for the standby unit? Thank you!
08-25-2017 09:19 PM
10-26-2017 07:40 AM
I have the same situation. This answer is helpful. Thanks